AWS Security ChangesHomeSearch

AWS organizations documentation change

Service: organizations · 2026-02-28 · Documentation medium

File: organizations/latest/userguide/orgs_manage_policies_backup_syntax.md

Summary

Updated malware scanning configuration documentation for AWS Backup, including syntax changes for scan_actions/scan_settings, added ScanMode options (INCREMENTAL_SCAN/FULL_SCAN), and detailed example configurations for GuardDuty Malware Protection integration

Security assessment

The changes document security-focused malware scanning capabilities integrated with Amazon GuardDuty. While this adds security feature documentation (malware detection in backups), there is no evidence of addressing a specific vulnerability - rather this appears to be standard documentation for a security capability. Emphasis on IAM role permissions and scanning configurations shows security awareness but doesn't indicate remediation of a security issue.

Diff

diff --git a/organizations/latest/userguide/orgs_manage_policies_backup_syntax.md b/organizations/latest/userguide/orgs_manage_policies_backup_syntax.md
index f27258d9f..362f56088 100644
--- a//organizations/latest/userguide/orgs_manage_policies_backup_syntax.md
+++ b//organizations/latest/userguide/orgs_manage_policies_backup_syntax.md
@@ -116 +116,5 @@ Backup rule elements Element | Description | Required
-`scan_actions` | Specifies whether a scanning action is enabled for a given rule. You must specify a `Malwarescanner` and `ScanMode`. You must use `scan_settings` in the backup policy elements in conjunction with `scan_actions` in order for scanning jobs to start successfully. Please also ensure you have the right [IAM role permissions](https://docs.aws.amazon.com//aws-backup/latest/devguide/malware-protection.html#malware-access). | No  
+`scan_actions` | Specifies whether a scanning action is enabled for a given rule. You must specify a `ScanMode`. You must use `scan_settings` in the backup policy elements in conjunction with `scan_actions` in order for scanning jobs to start successfully. Please also ensure you have the right [IAM role permissions](https://docs.aws.amazon.com//aws-backup/latest/devguide/malware-protection.html#malware-access).
+
+  * `ScanMode`: This will specify what scan type you want to run at the frequency of your backup plan rule. You can choose between `INCREMENTAL_SCAN` or `FULL_SCAN`.
+
+| No  
@@ -230 +234 @@ Backup plan tag elements Element | Description | Required
-The `scan_settings` policy key specifies the tags that are attached to a backup plan itself. This does not impact the tags specified for `rules` or `selections`.
+The `scan_settings` policy key specifies the configuration for malware scanning using Amazon GuardDuty Malware Protection for AWS Backup. You must use `scan_settings` in conjunction with `scan_actions` in your backup rules for scanning jobs to start successfully.
@@ -232 +236 @@ The `scan_settings` policy key specifies the tags that are attached to a backup
-Backup plan tag elements Element | Description | Required  
+Scan settings elements Element | Description | Required  
@@ -234 +238,35 @@ Backup plan tag elements Element | Description | Required
-`scan_settings` | Each tag is a label consisting of a user-defined key and value: Configuration options for scan settings. Currently the only scan settings that is support is enable Amazon GuardDuty Malware Protection for AWS Backup. You must specify the `Malwarescanner`, `ResourceTypes`, and `ScannerRoleArn`.  | No  
+`scan_settings` | Configuration options for scan settings. Currently the only scan settings that is supported is enabling Amazon GuardDuty Malware Protection for AWS Backup. You must specify the `ResourceTypes` and `ScannerRoleArn`. 
+
+  * `ResourceTypes`: This will filter malware scanning to the resource selection criteria you have chosen. You can use `EBS`, `EC2`, `S3`, or `ALL`.
+  * `ScannerRoleArn`: This role is passed by AWS Backup to Amazon GuardDuty when a scan is initiated, providing access to backups. View [malware protection access](https://docs.aws.amazon.com//aws-backup/latest/devguide/malware-protection.html#malware-access) to see the full list of permissions required.
+
+| No  
+  
+**Example:**
+
+The following shows how to configure `scan_actions` in a backup rule and `scan_settings` at the plan level to enable Amazon GuardDuty Malware Protection scanning.
+
+`scan_actions` in a rule:
+    
+    
+    "scan_actions": {
+        "GUARDDUTY": {
+            "scan_mode": {
+                "@@assign": "INCREMENTAL_SCAN"
+            }
+        }
+    }
+
+`scan_settings` at the plan level:
+    
+    
+    "scan_settings": {
+        "GUARDDUTY": {
+            "resource_types": {
+                "@@assign": ["EBS"]
+            },
+            "scanner_role_arn": {
+                "@@assign": "arn:aws:iam::$account:role/MyGuardDutyScannerRole"
+            }
+        }
+    }
@@ -253,0 +292,2 @@ The example backup policies that follow are for information purposes only. In so
+  * Example 8: Backup plan with Amazon GuardDuty Malware Protection scanning
+
@@ -1276,0 +1317,108 @@ The Boolean logic is similar to what you might use in IAM policies. The `"resour
+### Example 8: Backup plan with Amazon GuardDuty Malware Protection scanning
+
+The following example shows a backup policy that enables Amazon GuardDuty Malware Protection scanning on backup recovery points. The policy uses `scan_actions` in the rule to enable scanning and `scan_settings` at the plan level to configure the scanner.
+
+To use this feature, you must have the appropriate IAM role permissions. For more information, see [Access](https://docs.aws.amazon.com//aws-backup/latest/devguide/malware-protection.html#malware-access) in the _AWS Backup Developer Guide_.
+    
+    
+    {
+        "plans": {
+            "Malware_Scan_Backup_Plan": {
+                "regions": {
+                    "@@assign": [
+                        "us-east-1",
+                        "us-west-2"
+                    ]
+                },
+                "rules": {
+                    "Daily_With_Incremental_Scan": {
+                        "schedule_expression": {
+                            "@@assign": "cron(0 5 ? * * *)"
+                        },
+                        "start_backup_window_minutes": {
+                            "@@assign": "60"
+                        },
+                        "target_backup_vault_name": {
+                            "@@assign": "Default"
+                        },
+                        "lifecycle": {
+                            "delete_after_days": {
+                                "@@assign": "35"
+                            }
+                        },
+                        "scan_actions": {
+                            "GUARDDUTY": {
+                                "scan_mode": {
+                                    "@@assign": "INCREMENTAL_SCAN"
+                                }
+                            }
+                        }
+                    },
+                    "Monthly_With_Full_Scan": {
+                        "schedule_expression": {
+                            "@@assign": "cron(0 5 1 * ? *)"
+                        },
+                        "start_backup_window_minutes": {
+                            "@@assign": "60"
+                        },
+                        "target_backup_vault_name": {
+                            "@@assign": "Default"
+                        },
+                        "lifecycle": {
+                            "delete_after_days": {
+                                "@@assign": "365"
+                            }
+                        },
+                        "scan_actions": {
+                            "GUARDDUTY": {
+                                "scan_mode": {
+                                    "@@assign": "FULL_SCAN"
+                                }
+                            }
+                        }
+                    }
+                },
+                "selections": {
+                    "tags": {
+                        "scan_selection": {
+                            "iam_role_arn": {
+                                "@@assign": "arn:aws:iam::$account:role/MyBackupRole"
+                            },
+                            "tag_key": {
+                                "@@assign": "backup"
+                            },
+                            "tag_value": {
+                                "@@assign": [
+                                    "true"
+                                ]
+                            }
+                        }
+                    }
+                },
+                "scan_settings": {
+                    "GUARDDUTY": {
+                        "resource_types": {
+                            "@@assign": [
+                                "EBS"
+                            ]
+                        },
+                        "scanner_role_arn": {
+                            "@@assign": "arn:aws:iam::$account:role/MyGuardDutyScannerRole"
+                        }
+                    }
+                }
+            }
+        }
+    }
+
+The key points in this example are:
+
+  * `scan_actions` is specified inside each rule. The scanner name `GUARDDUTY` is used as the key. The daily rule uses `INCREMENTAL_SCAN` and the monthly rule uses `FULL_SCAN`.
+
+  * `scan_settings` is specified at the plan level (not inside a rule). It configures the scanner role and resource types to scan.
+
+  * The `scanner_role_arn` must reference an IAM role with the `AWSBackupGuardDutyRolePolicyForScans` managed policy attached and a trust policy that allows the `malware-protection.guardduty.amazonaws.com` service principal to assume the role.
+
+
+
+